It looks soooo basic that the Spring documentation thought it deserves one single row of text – which I quote here:

89.1 Switch off the Spring Boot Security ConfigurationIf you define a @Configuration with a WebSecurityConfigurerAdapter in your application, it switches off the default webapp security settings in Spring Boot.

Well, not exactly. You define that thing and… nothing remarkable happens: you get the same generated security password and the same login form greets you when you access your pages. Ack. Stackoverflow and many blog posts come up with all kinds of long and so obviously copy-n-pasted solutions… ugly ugly ugly. What then?

Turns out, the missing bit was that you should OVERRIDE the configuration functions so they actually do nothing: no authentication manager (so no generated passwords thank you) and no HTTP security – at all. And of course tell Spring it’s web security you’re talking about. This being said, your new bean will look like this: